AWS Organizations and Consolidated Billing
What, Why and How of AWS Organizations, the AWS account management service
What are AWS Organizations?
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes consolidated billing and account management capabilities that enable you to better meet the budgetary, security, and compliance needs of your business. As an administrator of an organization, you can create accounts in your organization and invite existing accounts to join the organization.
Let’s understand some core terminology:
- Organization: The overall entity that holds all of your AWS accounts.
- Root Account: The parent account for all of your accounts. You can have only one root account, and it is created when you create an organization.
- Organizational Unit (OU): A container for accounts within the root. An OU can also contain other OUs, enabling you to create a hierarchy that resembles an upside-down tree, with the root at the top and branches of OUs reaching down, ending in accounts that are the leaves of the tree.
- Account: A standard AWS account which contains your AWS resources. We can create a new account in an organization or we can invite other accounts to join an organization.
- Service control policy (SCP): A policy that specifies the services and actions that users and roles can use in the accounts that the SCP affects.
Why use AWS Organizations?
- Centralized management of all of your AWS accounts
- Consolidated billing for all member accounts
- Hierarchical grouping of your accounts to meet your budgetary, security, or compliance needs
- Control over the AWS services and API actions that each account can access
- Integration and support for AWS Identity and Access Management (IAM)
How to create AWS Organizations and member accounts?
1. Log in to your root account and create an organization. Tip: you will not find “AWS Organizations” under the services list. Look on the right-hand side under “Helpful tips”.
2. Choose whether to create the organization with only consolidated billing features or with all features enabled. Tip: Choose “all features enabled” to get features such as policies, which let you apply fine-grained control over which services and actions member accounts can access.
3. Now you can see your master account as default. It is marked with a star.
4. Create an Organizational Unit by selecting “Organize accounts” -> “New organizational unit”.
5. Add member accounts, method 1: invite an existing AWS account. For this, you need the root user email address or the AWS account number of the invitee account.
6. Add member accounts, method 2: create a new AWS account. For this, you need a name and an email address for the new account. This email address becomes the root user of the new account.
To access the accounts in your organization, you must use one of the following methods:
- The account has a root user that you can use to sign in. AWS recommends that you use the root user only to create IAM users, groups, and roles, and then always sign in with one of those. Tip: When signing in to a newly created account as the root user, you first have to reset the password using “Forgot your password”. This is what actually sets the password you will use to log in to the new account as the root user.
- If you create an account in your organization, you can access the account by using the preconfigured role that exists in all new accounts that are created this way. AWS Organizations gives the role a default name of OrganizationAccountAccessRole.
- If you invite an existing account to join your organization, and the account accepts the invitation, you can then create an IAM role that allows the master account to access the invited account, similar to the role automatically added to an account that is created with AWS Organizations.
Managing Organization Policies
Policies in AWS Organizations enable you to apply additional types of management to the AWS accounts in your organization. Policies are enabled only after you enable all features in your organization. You can apply policies to the following entities in your organization:
- A root. A policy applied to a root applies to all accounts in the organization.
- An OU. A policy applied to an OU applies to all accounts in the OU and to any child OUs.
- An account. A policy applied to an account applies only to that one account.
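The SCP definition above and the root/OU/account inheritance just described can be modelled in a few lines: an action reaches an account only if every level on the path from the root down to that account has an SCP allowing it and no level has an SCP explicitly denying it. The following is an added example with a constructed organization tree and hypothetical SCPs, not code from the page or from AWS; it ignores `Resource`, `Condition` and `NotAction`, which real SCPs also support.

```python
from fnmatch import fnmatchcase

# Constructed SCPs (not AWS's own documents). FULL_AWS_ACCESS mirrors the
# default SCP that AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny",
                                 "Action": "organizations:LeaveOrganization"}]}
SANDBOX_ALLOWLIST = {"Statement": [{"Effect": "Allow",
                                    "Action": ["ec2:*", "s3:*"]}]}

# Hypothetical tree: each node records its parent and the SCPs attached to it.
TREE = {
    "root":         {"parent": None,        "scps": [FULL_AWS_ACCESS]},
    "Workloads":    {"parent": "root",      "scps": [FULL_AWS_ACCESS, DENY_LEAVE_ORG]},
    "Sandbox":      {"parent": "Workloads", "scps": [SANDBOX_ALLOWLIST]},
    "111111111111": {"parent": "Sandbox",   "scps": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "Workloads", "scps": [FULL_AWS_ACCESS]},
}

def _actions(stmt):
    act = stmt["Action"]
    return [act] if isinstance(act, str) else act

def _level_allows(scps, action):
    """A level allows an action if some attached SCP explicitly allows it
    and no attached SCP explicitly denies it (an explicit Deny wins)."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if any(fnmatchcase(action, pat) for pat in _actions(stmt)):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def path_to_root(node):
    """Nodes from the account up to the root, e.g. account -> OU -> root."""
    path = []
    while node is not None:
        path.append(node)
        node = TREE[node]["parent"]
    return path

def scp_permits(account, action):
    """Effective SCP result: every level on the path to the root must allow."""
    return all(_level_allows(TREE[n]["scps"], action)
               for n in path_to_root(account))
```

With this tree, the Sandbox account keeps only EC2 and S3 actions because the OU allow-list narrows the root's FullAWSAccess, while the Workloads account can still use IAM but cannot leave the organization because of the Deny on its OU.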